AWI: Enforce SSO not working with KDC_LOGIN_FORCED set to Y

Article ID: 212715

Products

CA Automic Workload Automation - Automation Engine

Issue/Introduction

Kerberos authentication has been successfully implemented, and users are able to authenticate using the 'Use Kerberos login' checkbox.

The goal is now to enforce Kerberos authentication exclusively by setting KDC_LOGIN_FORCED (UC_CLIENT_SETTINGS):

https://docs.automic.com/documentation/webhelp/english/AWA/12.1/DOCU/12.1/AWA%20Guides/help.htm#AWA/Admin/admin_UC_CLIENT_SETTINGS.htm?Highlight=KDC_LOGIN_FORCED%20

When KDC_LOGIN_FORCED is set to Y in a client (here client 100), the authentication never completes and AWI returns an HTTP 401 code.

The login panel shows this message:

================================================================================================
com.uc4.ecc.backends.exceptions.AutomationEngineAPIException: [HTTP 401] (45107) Cannot logon to Automation Engine.: The credentials are not valid.
================================================================================================

With the AWI log in debug mode, messages similar to the following can be found:

================================================================================================
2020-12-02 10:35:14,073 pool-2-thread-21    [DEBUG] UC4_UP:100/05020323/DOMDIBACORP NOUI 0000000896356094 +52 [mework.core.async.BaseRequestCoordinator] - Query with hashCode 23671096 has just failed due to: java.lang.RuntimeException: com.uc4.ecc.backends.exceptions.AutomationEngineAPIException: [HTTP 401] (45107) Cannot logon to Automation Engine.: The credentials are not valid.
java.lang.RuntimeException: com.uc4.ecc.backends.exceptions.AutomationEngineAPIException: [HTTP 401] (45107) Cannot logon to Automation Engine.: The credentials are not valid.
at com.uc4.ecc.framework.entrypoint.login.ae.AECredentialsPresenter.login(AECredentialsPresenter.java:218)
.....
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: com.uc4.ecc.backends.exceptions.AutomationEngineAPIException: [HTTP 401] (45107) Cannot logon to Automation Engine.: The credentials are not valid.
... 9 common frames omitted
Caused by: com.uc4.api.rest.exceptions.NotAuthorizedException: [HTTP 401] (45107) Cannot logon to Automation Engine.: The credentials are not valid.
at com.uc4.api.rest.common.requests.RestJsonRequest.handleDefaultErrors(RestJsonRequest.java:65)
at com.uc4.api.rest.common.requests.RestJsonRequest.handleErrorResponse(RestJsonRequest.java:48)
....
================================================================================================

JCP traces with Tcp/ip=2 Database=4 Rest=2 show messages similar to the following lines:

================================================================================================
20201202/103514.063 - 37   UCUDB32 CMIT RET 0000 HSTMT: 0000000000000217 VALUE: 0000000000000000 ALL: 0.00400 DB: 0.00000 ODBC: 0.00000 UDB: 0.00000
20201202/103514.063 - 30   U00045099 Der Server antwortete mit folgendem Status: '401'
20201202/103514.063 - 30        Response-Headers: [Content-Type=application/json,WWW-Authenticate=Basic realm="AUTOMIC"]
20201202/103514.063 - 30        Response-Payload:
20201202/103514.063 - 37        Record found -> read again.
20201202/103514.064 - 37   SELECT MQCP_PK,MQCP_CAddr,MQCP_BAcv,MQCP_BAddr,MQCP_BSRName,MQCP_Status,MQCP_Msg,MQCP_BTable,MQCP_CSRName,MQCP_PhysAddr FROM MQ1CP010 FOR UPDATE SKIP LOCKED
20201202/103514.068 - 30        {
20201202/103514.068 - 30         "code" : 45107,
20201202/103514.068 - 30         "error" : "Cannot logon to Automation Engine.",
20201202/103514.068 - 30         "details" : "The credentials are not valid."
20201202/103514.068 - 30        }
================================================================================================
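For triage, the REST failure can be pulled out of a JCP trace even though its payload lines are interleaved with database lines. The following is an added example, not part of the original article or of Automic's tooling; it assumes the number after the timestamp identifies the writer of each line and matches on the message number U00045099 rather than on the localized text.

```python
import json
import re

# Sample input: excerpt of the JCP trace quoted in this article.
SAMPLE_TRACE = """\
20201202/103514.063 - 30   U00045099 Der Server antwortete mit folgendem Status: '401'
20201202/103514.063 - 30        Response-Headers: [Content-Type=application/json,WWW-Authenticate=Basic realm="AUTOMIC"]
20201202/103514.063 - 30        Response-Payload:
20201202/103514.063 - 37        Record found -> read again.
20201202/103514.068 - 30        {
20201202/103514.068 - 30         "code" : 45107,
20201202/103514.068 - 30         "error" : "Cannot logon to Automation Engine.",
20201202/103514.068 - 30         "details" : "The credentials are not valid."
20201202/103514.068 - 30        }
"""

LINE_RE = re.compile(r"^(\d{8}/\d{6}\.\d{3}) - (\d+)\s+(.*)$")
STATUS_RE = re.compile(r"U00045099 .*'(\d{3})'")   # message number, not the localized text
CHALLENGE_RE = re.compile(r"WWW-Authenticate=(\w+)")

def rest_failures(trace):
    """Return one finding per REST response with status >= 400."""
    streams = {}  # id after the timestamp -> its lines in order (assumption: one writer per id)
    for raw in trace.splitlines():
        m = LINE_RE.match(raw)
        if m:
            streams.setdefault(m.group(2), []).append((m.group(1), m.group(3).strip()))
    findings = []
    for stream, lines in streams.items():
        cur, body = None, None
        for ts, msg in lines:
            status = STATUS_RE.match(msg)
            if status:
                cur, body = {"time": ts, "stream": stream, "status": int(status.group(1)),
                             "challenge": None, "error": None}, None
                if cur["status"] >= 400:
                    findings.append(cur)
            elif cur and msg.startswith("Response-Headers:"):
                ch = CHALLENGE_RE.search(msg)
                cur["challenge"] = ch.group(1) if ch else None
            elif cur and msg.startswith("Response-Payload:"):
                body = ""
            elif cur and body is not None:
                body += msg
                try:
                    cur["error"] = json.loads(body)
                    cur, body = None, None
                except json.JSONDecodeError:
                    pass  # payload continues on the next line of this stream
    return findings
```

On the sample it returns a single finding: status 401, a `Basic` challenge, and error code 45107.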

This authentication mode works fine in the Java GUI.
Authentication on the same client 100 works correctly in AWI when KDC_LOGIN_FORCED is not set to Y.

Environment

Release : 12.2 and 12.3 Automic Web Interface

Cause

This is a bug introduced and detected in versions 12.2.7 and 12.3.4 of the AWI.

Resolution

To resolve the issue, update AWI and AE to one of the following Automation.Engine versions:

-- 12.2.8 HF1

-- 12.2.9 

-- 12.3.6

-- 12.3.5 HF3